Abnormal behaviour of login Part II - if I don't clear my browser cache, anyone who uses my PC can log in as me by clicking one of the Social Networking logo login icons

[frankiekam]

Hi Mouneyrac

I'm using Google Chrome.

1. I managed to login using my Google account into my Moodle site.
2. Then I logout and login as the Moodle admin user.
3. I delete my Moodle Google-user (the moodle account with my Gmail account in it).
4. I then logout from my admin account. I can only see the Google logo.
   I can't see the other two FB or Messenger/Live/Outlook.com logos.
5. I click on the Google login icon and I'm back in again!!
6. Shouldn't the plug in force me to re-enter my Gmail username and password?
   Seems to be a dangerous security issue here - if I don't clear my Chrome's browser cache, this happens. If I clear my chrome's cache, the username and password fields
   appear. So if I don't clear my chrome's cache, I could be asking for trouble.

BTW, the same thing happens if I choose to do my initial login with FB. Or with Messenger/Live/Outlook.com.

Kindly advise, help!
Frankie Kam
http://moodurian.blogspot.com

[mouneyrac]

Hi Frankie,

I can't see the other two FB or Messenger/Live/Outlook.com logos
If you saw the other logos the first time on the Moodle login page, then the second time you should see a link letting you know you can choose a different provider that the one you logged in with the first time. My plugin remembers what provider you used and it doesn't offer the user to pick a "wrong" different provider by default (to do it you need to click on the link).

1. I click on the Google login icon and I'm back in again!!
2. Shouldn't the plug in force me to re-enter my Gmail username and password?
   Seems to be a dangerous security issue here

it works like that everywhere on internet, check other sites that allow to use Google/Facebook/... to log in. And it's actually all the charm of Oauth2, it's just transparent to the user.

What you may not know it's that when you click on the Google logo you are redirected in a Google page (google.com ...). Google detects you are already logged-in Google (maybe you were logged in Gmail, google drive, maybe you were logged with the plugin, or you were logged with another site using sign-in with Google...) ,and so Google doesn't ask you to log in. Then Google redirects you to Moodle. All that is transparent to the user because neither Google, neither the plugin, send any html to the browser, so the browser doesn't display anything till Moodle send some html for the front page. And the user feels like he has just been connected. It's a great user experience.

The only issue I can see with Ouath2 is that the user is logged in Google (he did log in Google after all) and the user need to log out from Google manually (by Gmail, google drive... any google page).

[mouneyrac]

Frankie I'm closing this issue. Let me know on your first issue if you success to make the "see other providers" link works.